This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.
The remote openSUSE host is missing a security update.
- tor 0.2.4.22 [bnc#878486] Tor was updated to the recommended version of the 0.2.4.x series.
  - major features in 0.2.4.x :
    - improved client resilience
    - support better link encryption with forward secrecy
    - new NTor circuit handshake
    - change relay queue for circuit create requests from size-based limit to time-based limit
    - many bug fixes and minor features
  - changes contained in 0.2.4.22: Backports numerous high-priority fixes. These include blocking all authority signing keys that may have been affected by the OpenSSL 'heartbleed' bug, choosing a far more secure set of TLS ciphersuites by default, closing a couple of memory leaks that could be used to run a target relay out of RAM.
    - Major features (security)
      - Block authority signing keys that were used on authorities vulnerable to the 'heartbleed' bug in
    - Major bugfixes (security, OOM) :
      - Fix a memory leak that could occur if a microdescriptor parse fails during the tokenizing step.
    - Major bugfixes (TLS cipher selection) :
      - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and
      - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than
      - Clients now try to advertise the same list of ciphersuites as Firefox 28.
  - includes changes from 0.2.4.21: Further improves security against potential adversaries who find breaking 1024-bit crypto doable, and backports several stability and robustness patches from the 0.2.5 branch.
    - Major features (client security) :
      - When we choose a path for a 3-hop circuit, make sure it contains at least one relay that supports the NTor circuit extension handshake. Otherwise, there is a chance that we're building a circuit that's worth attacking by an adversary who finds breaking 1024-bit crypto doable, and that chance changes the game theory.
    - Major bugfixes :
      - Do not treat streams that fail with reason END_STREAM_REASON_INTERNAL as indicating a definite circuit failure, since it could also indicate an ENETUNREACH connection error
  - includes changes from 0.2.4.20 :
    - Do not allow OpenSSL engines to replace the PRNG, even when HardwareAccel is set.
    - Fix assertion failure when AutomapHostsOnResolve yields an IPv6 address.
    - Avoid launching spurious extra circuits when a stream is
  - packaging changes :
    - remove init script shadowing systemd unit
    - general cleanup
    - Add tor-fw-helper for UPnP port forwarding; not used by
    - fix logrotate on systemd-only setups without init scripts, work tor-0.2.2.37-logrotate.patch to
    - verify source tarball signature
Update the affected tor packages.
Risk factor : High / CVSS Base Score : 9.4
Public Exploit Available : true